The recent controversy involving Apple's refusal to assist FBI efforts to gain access to the iPhone used by one of the perpetrators of the San Bernardino massacre has featured a good deal of discussion about the use of encryption to prevent disclosure of the data stored on the phone. That discussion is often framed as a question about the nature of Americans' privacy rights. This may cause some to wonder whether encryption is now frowned upon as a technique for preventing data breaches.
The short answer, with respect to safeguarding consumer financial and health data in day-to-day commercial use, is NO. All of the admonitions we have given commercial clients regarding their obligations to take technical and operational steps to safeguard data remain in effect. (See "Let's Have Coffee! Why Your CTO and Privacy Lawyer Should Be Well Acquainted.") For example, the FTC's strong endorsement, in the Wyndham settlement, of the Payment Card Industry Data Security Standard (PCI DSS), which requires encryption of cardholder data, remains unchanged. Clients who fail to adopt and keep current with prevailing technical practices are at serious risk of legal and financial consequences when a data breach inevitably occurs. Financial regulators have issued similar admonitions.
The Apple controversy does not involve the use of encryption per se. No one is claiming that encryption is inappropriate in the ordinary course. The present issue is simply whether a party deploying such technology has an obligation to assist law enforcement in defeating it in connection with an investigation of criminal conduct. (In the Apple case, the assistance sought was not breaking the encryption itself but disabling the passcode protections, such as the auto-erase and retry-delay features, that stand between the government and the encrypted data.) Many knowledgeable observers believe that such an obligation opens the door to intrusive government observation of the law-abiding.
Such a "backdoor," as it is often called, is also feared by many observers to be a potential entry point (i) not just for law enforcement but also for nimble hackers, and (ii) not just into one iPhone but potentially into any of them. Indeed, the present controversy appears to have already grown beyond unlocking just the one phone. (See the New York Times article "Apple Faces U.S. Demand to Unlock 9 More iPhones.")
While there are many very important legal and public policy issues associated with this debate and, more generally, with the relationship of citizens to government and the nature of our civil liberties, none of this has anything to do with day-to-day commercial practice. Those obtaining personally identifiable information and/or personal health information from consumers are still required to use appropriate technical measures to protect it from unauthorized disclosure. No matter how the Apple situation is resolved, this will not change.